December 3, 2010

Subscribe

ProFTPD 1.3.3c Briefly Backdoored by Hackers

Servers of the widely popular FTP server, ProFTPD, were compromised (probably with 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were for ProFTPD version 1.3.3c., between the 28/11/2010 and 02/12/2010.

The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.

If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:

8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2

4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz

Hit the jump for details on how the backdoor is triggered. A Metasploit module is available to automate the exploit.